Movatterモバイル変換

[0]ホーム
URL:

US8799639B2 - Method and apparatus for converting authentication-tokens to facilitate interactions between applications - Google Patents

Method and apparatus for converting authentication-tokens to facilitate interactions between applicationsDownload PDF

Info

Publication number
US8799639B2
US8799639B2US11/493,693US49369306AUS8799639B2US 8799639 B2US8799639 B2US 8799639B2US 49369306 AUS49369306 AUS 49369306AUS 8799639 B2US8799639 B2US 8799639B2
Authority
US
United States
Prior art keywords
authentication
token
application
command
execution request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US11/493,693
Other versions
US20080046715A1 (en
Inventor
Alex G. Balazs
Zane Z. Y. Pan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intuit Inc
Original Assignee
Intuit Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intuit IncfiledCriticalIntuit Inc
Priority to US11/493,693priorityCriticalpatent/US8799639B2/en
Assigned to INTUIT, INC.reassignmentINTUIT, INC.ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: PAN, ZANE Z. Y., BALAZS, ALEX G.
Priority to AU2007203101Aprioritypatent/AU2007203101B8/en
Priority to GB0713184.0Aprioritypatent/GB2440425B/en
Priority to DE102007033615.4Aprioritypatent/DE102007033615B4/en
Priority to CN2007101390245Aprioritypatent/CN101114237B/en
Publication of US20080046715A1publicationCriticalpatent/US20080046715A1/en
Application grantedgrantedCritical
Publication of US8799639B2publicationCriticalpatent/US8799639B2/en
Activelegal-statusCriticalCurrent
Adjusted expirationlegal-statusCritical

Links

Images

Classifications

Definitions

Landscapes

Abstract

One embodiment of the present invention provides a system that converts authentication-tokens to facilitate interactions between applications. During operation, the system receives a command-execution request from a first application, wherein the command-execution request specifies a command to execute on a second application. Subsequently, the system verifies a first authentication-token included with the command-execution request. Next, the system translates the first authentication-token into a form associated with the second application to produce a second authentication-token. The system then modifies the command-execution request by replacing the first authentication-token with the second-authentication-token to create a modified command-execution request. Then, the system sends the modified command-execution request to the second application.

Description

BACKGROUNDRelated Art
Many applications perform operations which involve contacting another application. Often, each of these applications has its own distinct user-authentication procedure. Thus, when a user activates a feature in a first application, and the feature communicates with a second application, the second application often requires the user to re-authenticate. For example, a tax-preparation application may include the ability to perform operations which involve communicating with a financial application, but in order for a user who is already authenticated by the tax-preparation application to perform these operations, the user must first re-authenticate with the financial application.
Hence, each time an application communicates with another application, the user may have to re-authenticate. This need to re-authenticate prevents an organization from providing a seamless user experience, and can be time-consuming and inconvenient for a busy user.
SUMMARY
One embodiment of the present invention provides a system that converts authentication-tokens to facilitate interactions between applications. During operation, the system receives a command-execution request from a first application, wherein the command-execution request specifies a command to execute on a second application. Subsequently, the system verifies a first authentication-token included with the command-execution request. Next, the system translates the first authentication-token into a form associated with the second application to produce a second authentication-token. The system then modifies the command-execution request by replacing the first authentication-token with the second-authentication-token to create a modified command-execution request. Then, the system sends the modified command-execution request to the second application.
In a variation on this embodiment, the first application is located on the same computer system as the second application.
In a variation on this embodiment, the command-execution request from the first application can include: a target Uniform Resource Locator (URL) which specifies the location of the second application; a first authentication-token type which specifies a form of the first authentication-token; a second authentication-token type which specifies a form of the second authentication-token; a user identifier for a user who is associated with the first authentication-token; payload data for the second application; and the command.
In a variation on this embodiment, verifying the first authentication-token involves identifying a first authentication-token type for the first authentication-token. Next, the system uses decryption rules associated with the first authentication-token type to decrypt the first authentication-token to obtain a decrypted first authentication-token. Subsequently, the system verifies the validity of the decrypted first authentication-token.
In a further variation, verifying the validity of the decrypted first authentication-token can involve verifying that the decrypted first authentication-token has not expired, and verifying that the decrypted first authentication-token is associated with a user identifier.
In a variation on this embodiment, translating the first authentication-token involves identifying a second authentication-token type which specifies a form of the second authentication-token for the second application. Next, the system identifies a second user identifier which is mapped to a first user identifier, wherein the first user identifier is associated with the first authentication-token. The system then creates the second authentication-token, wherein the second authentication-token is associated with the second user identifier, wherein the second authentication-token is of the form specified by the second authentication-token type.
In a further variation, creating the second authentication-token involves requesting the second authentication-token from a third-party authentication-token provider. Subsequently, the system receives the second authentication-token from the third-party authentication-token provider.
In a further variation, the second user identifier is the same as the first user identifier.
In a variation on this embodiment, the first authentication-token and the second authentication-token can include a cookie, a digital certificate, a user-name/password pair, a cryptographic key, and a biometric identifier.
In a variation on this embodiment, modifying the command-execution request involves modifying the command to have a format associated with the second application. Subsequently, the system includes the modified command with the modified command-execution request.
BRIEF DESCRIPTION OF THE FIGURES
FIG. 1 illustrates a computing environment in accordance with an embodiment of the present invention.
FIG. 2 presents a flowchart illustrating the process of translating a command-execution request from a format associated with a first application to a format associated with a second application in accordance with an embodiment of the present invention.
FIG. 3 presents a flowchart illustrating the process of verifying an authentication-token in accordance with an embodiment of the present invention.
FIG. 4 presents a flowchart illustrating the process of translating a first authentication-token with a first authentication-token type to a second authentication-token type in accordance with an embodiment of the present invention.
DETAILED DESCRIPTION
The following description is presented to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present invention. Thus, the present invention is not limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
The data structures and code described in this detailed description are typically stored on a computer-readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. This includes, but is not limited to, volatile memory, non-volatile memory, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs), DVDs (digital versatile discs or digital video discs), or other media capable of storing computer readable media now known or later developed.
Overview
One embodiment of the present invention provides a Single Sign-on Session Bridge, hereinafter referred to as a “bridge,” which solves the problem of bridging distinct domains associated with various security tokens. The bridge accomplishes this by securely translating a security token from one domain to another, and/or translating one type of security token to another type of security token.
For example, in one embodiment of the present invention, when a user clicks a link associated with an application, the application posts a session-token, or authentication-token, to the bridge. In this embodiment, the bridge can live in a virtual domain of the destination system, wherein the destination system hosts a second application, and wherein the link refers to the destination system. The bridge is then able to translate the authentication-token into a form associated with the destination system. Using the translated authentication-token, the bridge authenticates the user to the destination system, and subsequently, redirects the user to the destination system.
Computer System
FIG. 1 illustrates acomputing environment100 in accordance with an embodiment of the present invention.
Computing environment100 can generally include any type of computer system which can comprise a computer system based on a microprocessor, a mainframe computer, a digital signal processor, a portable computing device, a personal organizer, a device controller, and a computational engine within an appliance. Specifically,computing environment100 can compriseclient110,laptop120,network130,server140,server150,server160,application145,application165, andbridge190.
Client110 andlaptop120 can generally include any node on a network including computational capability and including a mechanism for communicating across the network.
Network130 can generally include any type of wired or wireless communication channel capable of coupling together computing nodes. This includes, but is not limited to, a local area network, a wide area network, or a combination of networks. In one embodiment of the present invention,network130 comprises the Internet.
Servers140,150, and160 can generally include any nodes on a computer network which comprises a mechanism for servicing requests from a client for computational and/or data storage resources.
Applications145 and165 can generally include any computer program. In one embodiment of the present invention,server140 executesapplication145, andserver160 executesapplication165.
In one embodiment of the present application,applications145 and165 are instances of the same application.
In one embodiment of the present application,applications145 and165 are instances of different applications.
In one embodiment of the present application,applications145 and165 are components of the same application.
Bridge190 can generally include any system that receives an authentication-token in a form associated with afirst application145 and translates the authentication-token to a form associated with asecond application165. In one embodiment of the present invention,bridge190 can be an application hosted byclient110,laptop120, or a server, such asserver140.
In one embodiment of the present invention, user112 accessesapplication145 viaclient110. Before user112 can begin usingapplication145, user112 authenticates toapplication145, which involvesapplication145 creating an authentication-token associated with user112. While usingapplication145, user112 clicks on a link that directsapplication145 to send a command-execution request to bridge190 that includes the authentication-token and a command forapplication165 to execute.Bridge190 then converts the authentication-token into a form thatapplication165 can process. Next,bridge190 sends a modified command-execution request toapplication165 which includes the converted authentication-token as well as the command forapplication165 to execute.
In one embodiment of the present invention, in response to receiving the authentication-token fromapplication145, bridge190 requests a second authentication-token from a third-party system, such asserver150, wherein the second authentication-token is in a form associated withapplication165.Server150 then sends the second authentication-token to bridge190, which subsequently, sends the second authentication-token toapplication165 along with the command forapplication165 to execute.
In one embodiment of the present invention,administrator122 provides rules to bridge190 vialaptop120. These rules instructbridge190 on how to convert authentication-tokens into other types of authentication-tokens.
In one embodiment of the present invention,bridge190 can present user112 with a user-interface associated withbridge190,application145, orapplication165. In one embodiment of the present invention, this user-interface is non-interactive. In this embodiment, the user-interface can provide user112 with a status report for the command-execution request, or a splash screen associated withapplication145,application165, orbridge190.
In one embodiment of the present invention, the user-interface is interactive. In this embodiment, user112 can provide information to bridge190 via the user-interface. Bridge190 can use the information to facilitate processing of the command-execution request.
In one embodiment of the present invention, the command-execution request includes data that enablesbridge190 to customize the user-interface.
In one embodiment of the present invention,bridge190 does not present a user-interface to user112. In this embodiment, user112 may not be aware of the existence ofbridge190. This embodiment allows an organization to provide a seamless experience to user112 while using multiple applications.
Translating a Command-Execution Request
FIG. 2 presents a flowchart illustrating the process of translating a command-execution request from a format associated with a first application to a format associated with a second application in accordance with an embodiment of the present invention.
The process begins whenbridge190 receives a command-execution request fromapplication145, whichserver140 hosts (step202). In one embodiment of the present invention, the command-execution request includes: a target Uniform Resource locator (URL), wherein the target URL specifies the location ofapplication165; a first authentication-token type which specifies a form of a first authentication-token, wherein the form of the first authentication-token is associated withapplication145; a second authentication-token type which specifies a form of a second authentication-token, wherein the form of the second authentication-token is associated withapplication165; a user identifier which is associated with the first authentication-token; payload data which allowsapplication165 to execute the command; and a command forapplication165 to execute.
In one embodiment of the present invention, the target URL specifies the location of a web-page associated withapplication165.
In one embodiment of the present invention, the target URL specifies an entry point intoapplication165.
In one embodiment of the present invention, the command-execution request can specify the location ofapplication165, or an entry point intoapplication165 using any protocol known to those familiar with the art.
Next,bridge190 verifies the validity of a first authentication-token, which is included with the command-execution request (step204). Note that this is a multi-step process, which is described in more detail below with reference toFIG. 3.
In one embodiment of the present invention, the first authentication-token can include a cookie, a digital certificate, a user-name/password pair, a cryptographic key, a biometric identifier, and any other form of authentication-token known to those familiar with the art.
After verifying the validity of the first authentication-token,bridge190 translates the first authentication-token to a form associated withapplication165 to obtain a second authentication-token (step206). Note that this is a multi-step process, which is described in more detail below with reference toFIG. 4.
In one embodiment of the present invention, the second authentication-token can include a cookie, a digital certificate, a user-name/password pair, a cryptographic key, a biometric identifier, and any other form of authentication-token known to those familiar with the art.
In one embodiment of the present invention,server140 hosts bothapplication145 andapplication165.
In one embodiment of the present invention,application145 andapplication165 are two components of the same application.
Next,bridge190 modifies the command-execution request to create a modified command-execution request by replacing the first authentication-token with the second authentication-token (step208).
In one embodiment of the present invention,bridge190 modifies the command received fromapplication145 to create a modified command (step210). To create this modified command,bridge190 alters the format of the command to match a format associated withapplication165. This allowsapplication165 to execute the command. After creating the modified command,bridge190 includes the modified command with the modified command-execution request (step212). For example, in one embodiment of the present invention,application145 formats a command in the following order: a command type, a variable, and then a value for the variable. However,application165 formats the same command to specify the command type after the value for the variable. Thus, forapplication165 to execute a command issued byapplication145,bridge190 re-formats the command fromapplication145 to match the command-format associated withapplication165. These steps are optional as illustrated by the dashedlines surrounding steps210 and212.
Oncebridge190 has finished creating the modified command-execution request,bridge190 sends the modified command-execution request to application165 (step214).
Verifying an Authentication-Token
FIG. 3 presents a flowchart illustrating the process of verifying an authentication-token in accordance with an embodiment of the present invention.
The process begins withbridge190 attempting to identify a first authentication-token type for a first authentication-token included with a command-execution request (step302). In one embodiment of the present invention, bridge190 attempts to identify the first authentication-token type by comparing the format of the first authentication-token to a set of known authentication-token formats. In this embodiment,administrator122 specifies the set of known authentication-token formats to bridge190 prior to bridge190 receiving the command-execution request. This enablesapplication145 to communicate with applications that use different authentication-token types without modifyingapplication145.
In one embodiment of the present invention, the command-execution request specifies the first authentication-token type.
Ifbridge190 is able to identify the first authentication-token type, then bridge190 decrypts the first-authentication token using a decryption-rule associated with the first authentication-token type to obtain a decrypted first authentication-token (step304).
In one embodiment of the present invention,bridge190 decrypts the first authentication-token before identifying the first authentication-token type. In this embodiment,bridge190 is capable of identifying the decryption-rule without identifying the first authentication-token type.
In one embodiment of the present invention,application145 does not encrypt the first authentication-token, hence,bridge190 does not have to decrypt the first authentication-token.
After decrypting the first authentication-token,bridge190 verifies the validity of the decrypted first authentication-token (step306). Verifying the validity of the decrypted first authentication-token can involve: verifying that the decrypted first authentication-token has not expired; verifying that the decrypted first authentication-token is associated with a user identifier, wherein the user identifier is associated with user112; verifying that the decrypted first authentication-token has not been tampered with; and any other token-verification process known to those familiar with the art.
In one embodiment of the present invention, verifying that the decrypted first authentication-token has not been tampered with can involve: verifying a hash value associated with the decrypted first authentication-token; verifying a digital certificate associated with the decrypted first authentication-token; verifying a cryptographic key associated with the decrypted first authentication-token; and any other process for identifying if the decrypted first authentication-token has been tampered with known to those familiar with the art.
Ifbridge190 determines that the decrypted first authentication-token is valid, then bridge190 proceeds to step206. Ifbridge190 is not able to identify the first authentication-token type, or ifbridge190 determines that the decrypted first authentication-token is not valid, then bridge190 rejects the command-execution request (step308).Bridge190 then sends an error message to application145 (step310). At this point, the process ends, andbridge190 does not continue to step206.
In one embodiment of the present invention, sending the error message can include reporting that the authentication-token is expired, reporting that the authentication-token is invalid, reporting thatbridge190 cannot determine how to translate the authentication-token to a format associated withapplication165, reporting thatbridge190 is unavailable, and reporting any other error-message type known to those familiar with the art.
In one embodiment of the present invention,bridge190 can request that user112 re-authenticate withapplication145. In this embodiment,application145 re-sends the command-execution request after user112 re-authenticates withapplication145.
In one embodiment of the present invention,bridge190 does not send an error message toapplication145.
Translating an Authentication-Token
FIG. 4 presents a flowchart illustrating the process of translating a first authentication-token associated with a first authentication-token type to a second authentication-token type in accordance with an embodiment of the present invention.
The process begins withbridge190 attempting to identify a second authentication-token type, wherein the second authentication-token type is associated with application165 (step402). In one embodiment of the present invention,bridge190 determines the second authentication-token type based on a target application, such asapplication165, of the command-execution request. In this embodiment,administrator122 associates the second authentication-token type withapplication165 prior to bridge190 receiving the command-execution request.
In one embodiment of the present invention,application145 includes the second authentication-token type with the command-execution request.
Ifbridge190 is successful in identifying the second authentication-token type, then bridge190 determines if there is a translation-rule associated with the first authentication-token type and the second authentication-token type (step404). Note that the translation-rule specifies how to translate the first authentication-token into the format associated with the second-authentication token type to obtain the second authentication-token. In one embodiment of the present invention,administrator122 associates the translation-rule with the first authentication-token type and the second authentication-token type prior to bridge190 receiving the command-execution request.
Ifbridge190 is successful in identifying a translation-rule associated with the second authentication-token type, then bridge190 determines if there is a user-identifier mapping (step406). Note that the user-identifier mapping specifies a second user identifier for a given combination of first user identifier, first authentication-token type, and second authentication-token type.Bridge190 includes the second user identifier with the modified command-execution request thatbridge190 sends toapplication165.
In one embodiment of the present invention, the first user identifier and the second user identifier are the same user identifiers.
Ifbridge190 is successful in identifying a user-identifier mapping, then bridge190 uses the translation-rule to create a second authentication-token of the second authentication-token type (step408).Bridge190 then proceeds to executestep208.
In one embodiment of the present invention,bridge190 uses a combination of the translation-rule and the user-identifier mapping to facilitate in creating the second authentication-token.
In one embodiment of the present invention,bridge190 creates the second authentication-token by requesting the second authentication-token from a third-party, such asserver150, associated with the second authentication-token type. For example, if the second authentication-token type indicates thatapplication165 requires a digital certificate to authenticate user112, and thatserver150 is a certificate authority, then bridge190 can contactserver150 to obtain the digital certificate.Server150 can then send the second authentication-token to bridge190.
Ifbridge190 cannot identify the second authentication-token type, a translation-rule, or a user-identifier mapping, then bridge190 rejects the command-execution request (step410).Bridge190 then sends an error message to application145 (step412). At this point, the process ends, andbridge190 does not continue to step208.
In one embodiment of the present invention, sending the error message can include reporting that the authentication-token is expired, that the authentication-token is invalid, thatbridge190 cannot determine how to translate the authentication-token to a format associated withapplication165, thatbridge190 is unavailable, and any other error-message type known to those familiar with the art.
In one embodiment of the present invention,bridge190 can contact user112 to request identification of the first authentication-token type, second authentication-token type, a translation-rule, or a user-identifier mapping. In this embodiment,bridge190 can store user112's response to this request. Thus, ifbridge190 receives a second command-execution request from user112,bridge190 will be able to complete the request without user112's assistance. Note that this embodiment can enable user112 toprogram bridge190 to perform authentication-token translations that are in addition to those programmed byadministrator122.
In one embodiment of the present invention,bridge190 can contactadministrator122 to request identification of the first authentication-token type, second authentication-token type, a translation-rule, or a user-identifier mapping. In this embodiment,administrator122 does not need to specify the set of known authentication-token formats, associate the authentication-token formats with the applicable applications, specify a translation-rule, or specify a user-identifier mapping prior to bridge190 receiving the command-execution request.
In one embodiment of the present invention,bridge190 does not send an error message toapplication145.
The foregoing descriptions of embodiments of the present invention have been presented only for purposes of illustration and description. They are not intended to be exhaustive or to limit the present invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. Additionally, the above disclosure is not intended to limit the present invention. The scope of the present invention is defined by the appended claims.

Claims (26)

What is claimed is:
1. A computer-implemented method for converting authentication-tokens, comprising:
receiving, at a computer, a command-execution request from a first application, wherein the command-execution request specifies a command to be executed by a second application and includes a first authentication-token that is created by the first application based on a user authenticating to the first application;
verifying the first authentication-token at the computer;
translating the first authentication-token to a form associated with the second application to produce a second authentication-token, wherein the second authentication-token is in a form different than the first authentication-token;
modifying the command-execution request by replacing the first authentication-token with the second authentication-token to create a modified command-execution request; and
sending the modified command-execution request to the second application,
wherein the command-execution request includes a target Uniform Resource Locator (URL) which specifies a location of the second application, a second authentication-token type which specifies a form of the second authentication-token, a user identifier for a user who is associated with the first authentication-token, and payload data for the second application.
2. The method ofclaim 1, wherein the first application is located on the same computer system as the second application.
3. The method ofclaim 1, wherein the command-execution request comprises a first authentication-token type which specifies a form of the first authentication-token.
4. The method ofclaim 1, wherein verifying the first authentication-token further comprises:
identifying a first authentication-token type for the first authentication-token;
using decryption rules associated with the first authentication-token type to decrypt the first authentication-token to produce a decrypted first authentication-token; and
verifying the validity of the decrypted first authentication-token.
5. The method ofclaim 4, wherein verifying the validity of the decrypted first authentication-token can involve:
verifying that the decrypted first authentication-token has not expired; and
verifying that the decrypted first authentication-token is associated with a user identifier.
6. The method ofclaim 1, wherein translating the first authentication-token further comprises:
identifying the second authentication-token type;
identifying a second user identifier which is mapped from the user identifier; and
creating the second authentication-token associated with the second user identifier, wherein the second authentication-token is of the form specified by the second-authentication-token type.
7. The method ofclaim 6, wherein creating the second authentication-token can involve:
requesting the second authentication-token from a third-party authentication-token provider; and
receiving the second authentication-token from the third-party authentication-token provider.
8. The method ofclaim 6, wherein the second user identifier comprises the user identifier.
9. The method ofclaim 1, wherein the first authentication-token and the second authentication-token include one or more of:
a cookie;
a digital certificate;
a user-name/password pair;
a cryptographic key; and
a biometric identifier.
10. The method ofclaim 1, wherein modifying the command-execution request further comprises:
modifying a format of the command to a format associated with the second application; and
including the modified command with the modified command-execution request.
11. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for converting authentication-tokens, the method comprising:
receiving, at a bridge, a command-execution request from a first application, wherein the command-execution request specifies a command to be executed by a second application and includes a first authentication-token that is created by the first application based on a user authenticating to the first application;
verifying the first authentication-token at the bridge;
translating the first authentication-token to a form associated with the second application to produce a second authentication-token, wherein the second authentication-token is in a form different than the first authentication-token;
modifying the command-execution request by replacing the first authentication-token with the second authentication-token to create a modified command-execution request; and
sending the modified command-execution request to the second application,
wherein the command-execution request includes a target Uniform Resource Locator (URL) which specifies a location of the second application, a second authentication-token type which specifies a form of the second authentication-token, a user identifier for a user who is associated with the first authentication-token, and payload data for the second application.
12. The computer-readable storage medium ofclaim 11, wherein the first application is located on the same computer system as the second application.
13. The computer-readable storage medium ofclaim 11, wherein the command-execution request comprises a first authentication-token type which specifies a form of the first authentication-token.
14. The computer-readable storage medium ofclaim 11, wherein verifying the first authentication-token further comprises:
identifying a first authentication-token type for the first authentication-token;
using decryption rules associated with the first authentication-token type to decrypt the first authentication-token to produce authentication-token; and
verifying the validity of the decrypted first authentication-token.
15. The computer-readable storage medium ofclaim 14, wherein verifying the validity of the decrypted first authentication-token can involve:
verifying that the decrypted first authentication-token has not expired; and
verifying that the decrypted first authentication-token is associated with a user identifier.
16. The computer-readable storage medium ofclaim 11, wherein translating the first authentication-token further comprises:
identifying the second authentication-token type;
identifying a second user identifier which is mapped from and the user identifier; and
creating the second authentication-token associated with the second user identifier, wherein the second authentication-token is of the form specified by the second-authentication-token type.
17. The computer-readable storage medium ofclaim 16, wherein creating the second authentication-token can involve:
requesting the second authentication-token from a third-party authentication-token provider; and
receiving the second authentication-token from the third-party authentication-token provider.
18. The computer-readable storage medium ofclaim 16, wherein the second user identifier comprises the user identifier.
19. The computer-readable storage medium ofclaim 11, wherein the first authentication-token and the second authentication-token include one or more of:
a cookie;
a digital certificate;
a user-name/password pair;
a cryptographic key; and
a biometric identifier.
20. The computer-readable storage medium ofclaim 11, wherein modifying the command-execution request further comprises:
modifying a format of the command to a format associated with the second application; and
including the modified command with the modified command-execution request.
21. An apparatus that converts authentication-tokens, comprising:
a receiving mechanism configured to receive, at a bridge, a command-execution request from a first application, wherein the command-execution request specifies a command to be executed by a second application and includes a first authentication-token that is created by the first application based on a user authenticating to the first application;
a verification mechanism configured to verify the first authentication token at the bridge;
a translation mechanism configured to translate the first authentication-token to a form associated with the second application to produce a second authentication-token, wherein the second authentication-token is in a form different than the first authentication-token;
a modification mechanism configured to modify the command-execution request by replacing the first authentication-token with the second authentication-token to create a modified command-execution request; and
a sending mechanism configured to send the modified command-execution request to the second application,
wherein the command-execution request includes a target Uniform Resource Locator (URL) which specifies a location of the second application, a second authentication-token type which specifies a form of the second authentication-token, a user identifier for a user who is associated with the first authentication-token, and payload data for the second application.
22. The apparatus ofclaim 21, wherein the verification mechanism further comprises:
an identification mechanism configured to identify a first authentication-token type for the first authentication-token;
a decryption mechanism configured to use decryption rules associated with the first authentication-token type to decrypt the first authentication-token to produce a decrypted first authentication-token; and
a second verification mechanism configured to verify the validity of the decrypted first authentication-token.
23. The apparatus ofclaim 21, wherein the translation mechanism further comprises:
an identification mechanism configured to identify the second authentication-token type;
a second identification mechanism configured to identify a second user identifier which is mapped from and the user identifier; and
a creation mechanism configured to create the second authentication-token associated with the second user identifier, wherein the second authentication-token is of the form specified by the second-authentication-token type.
24. The apparatus ofclaim 22, wherein the second verification mechanism is further configured to:
verify that the decrypted first authentication-token has not expired; and to
verify that the decrypted first authentication-token is associated with a user identifier.
25. The apparatus ofclaim 23, wherein the creation mechanism further comprises:
a requesting mechanism configured to request the second authentication-token from a third-party authentication-token provider; and
a receiving mechanism configured to receive the second authentication-token from the third-party authentication-token provider.
26. The apparatus ofclaim 21, wherein the modification mechanism is further configured to:
modify a format of the command to a format associated with the second application; and to
include the modified command with the modified command-execution request.
US11/493,6932006-07-252006-07-25Method and apparatus for converting authentication-tokens to facilitate interactions between applicationsActive2030-07-31US8799639B2 (en)

Priority Applications (5)

Application NumberPriority DateFiling DateTitle
US11/493,693US8799639B2 (en)2006-07-252006-07-25Method and apparatus for converting authentication-tokens to facilitate interactions between applications
AU2007203101AAU2007203101B8 (en)2006-07-252007-07-03Method and apparatus for converting authentication-tokens to facilitate interactions between applications
GB0713184.0AGB2440425B (en)2006-07-252007-07-06Method and apparatus for converting authentication-tokens
DE102007033615.4ADE102007033615B4 (en)2006-07-252007-07-17 Method and apparatus for converting authentication tokens to enable interactions between applications
CN2007101390245ACN101114237B (en)2006-07-252007-07-23Method and apparatus for converting authentication-tokens to facilitate interactions between applications

Applications Claiming Priority (1)

Application NumberPriority DateFiling DateTitle
US11/493,693US8799639B2 (en)2006-07-252006-07-25Method and apparatus for converting authentication-tokens to facilitate interactions between applications

Publications (2)

Publication NumberPublication Date
US20080046715A1 US20080046715A1 (en)2008-02-21
US8799639B2true US8799639B2 (en)2014-08-05

Family

ID=38440550

Family Applications (1)

Application NumberTitlePriority DateFiling Date
US11/493,693Active2030-07-31US8799639B2 (en)2006-07-252006-07-25Method and apparatus for converting authentication-tokens to facilitate interactions between applications

Country Status (5)

CountryLink
US (1)US8799639B2 (en)
CN (1)CN101114237B (en)
AU (1)AU2007203101B8 (en)
DE (1)DE102007033615B4 (en)
GB (1)GB2440425B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US20120167186A1 (en)*2009-07-142012-06-28Bundesdruckerei GmbhMethod for producing a soft token
US20130318569A1 (en)*2012-05-222013-11-28International Business Machines CorporationPropagating Delegated Authorized Credentials Through Legacy Systems
US20220337576A1 (en)*2021-04-152022-10-20Jpmorgan Chase Bank, N.A.System and method for smart authentication

Families Citing this family (54)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
WO2005086802A2 (en)2004-03-082005-09-22Proxense, LlcLinked account system using personal digital key (pdk-las)
EP1829283A2 (en)2004-12-202007-09-05Proxense, LLCBiometric personal data key (pdk) authentication
US8219129B2 (en)2006-01-062012-07-10Proxense, LlcDynamic real-time tiered client access
US11206664B2 (en)2006-01-062021-12-21Proxense, LlcWireless network synchronization of cells and client devices on a network
US7904718B2 (en)2006-05-052011-03-08Proxense, LlcPersonal digital key differentiation for secure transactions
US9269221B2 (en)2006-11-132016-02-23John J. GobbiConfiguration of interfaces for a location detection system and application
US8073558B2 (en)2007-10-052011-12-06Honeywell International IncCritical resource notification system and interface device
US8659427B2 (en)2007-11-092014-02-25Proxense, LlcProximity-sensor supporting multiple application services
US8171528B1 (en)2007-12-062012-05-01Proxense, LlcHybrid device having a personal digital key and receiver-decoder circuit and methods of use
US9251332B2 (en)*2007-12-192016-02-02Proxense, LlcSecurity system and method for controlling access to computing resources
WO2009102979A2 (en)2008-02-142009-08-20Proxense, LlcProximity-based healthcare management system with automatic access to private information
WO2009126732A2 (en)2008-04-082009-10-15Proxense, LlcAutomated service-based order processing
US20100185871A1 (en)*2009-01-152010-07-22Authentiverse, Inc.System and method to provide secure access to personal information
US9124535B2 (en)2009-07-172015-09-01Honeywell International Inc.System for using attributes to deploy demand response resources
US9137050B2 (en)2009-07-172015-09-15Honeywell International Inc.Demand response system incorporating a graphical processing unit
US8782190B2 (en)*2009-07-172014-07-15Honeywell International, Inc.Demand response management system
US8671167B2 (en)*2009-07-172014-03-11Honeywell International Inc.System for providing demand response services
US8671191B2 (en)2009-07-172014-03-11Honeywell International Inc.Installation system for demand response resources
US8676953B2 (en)2009-07-172014-03-18Honeywell International Inc.Use of aggregated groups for managing demand response resources
US8572230B2 (en)2009-07-172013-10-29Honeywell International Inc.System for using attributes to deploy demand response resources
US8667132B2 (en)2009-07-172014-03-04Honeywell International Inc.Arrangement for communication about and management of a resource using a mobile device
US9818073B2 (en)2009-07-172017-11-14Honeywell International Inc.Demand response management system
EP2334034B1 (en)*2009-11-112018-06-27BlackBerry LimitedUsing a trusted token and push for validating the request for single sign on
US8522335B2 (en)*2009-12-012013-08-27International Business Machines CorporationToken mediation service in a data management system
US20110202989A1 (en)*2010-02-182011-08-18Nokia CorporationMethod and apparatus for providing authentication session sharing
US9418205B2 (en)2010-03-152016-08-16Proxense, LlcProximity-based system for automatic application or data access and item tracking
US20130144942A1 (en)*2010-03-192013-06-06Gopi Krishnan NambiarSession persistence for accessing textsites
US8918854B1 (en)2010-07-152014-12-23Proxense, LlcProximity-based system for automatic application initialization
US8626354B2 (en)2011-01-282014-01-07Honeywell International Inc.Approach for normalizing automated demand response events in energy management control systems
US8630744B2 (en)2011-01-282014-01-14Honeywell International Inc.Management and monitoring of automated demand response in a multi-site enterprise
US9153001B2 (en)2011-01-282015-10-06Honeywell International Inc.Approach for managing distribution of automated demand response events in a multi-site enterprise
US8857716B1 (en)2011-02-212014-10-14Proxense, LlcImplementation of a proximity-based system for object tracking and automatic application initialization
US20140081704A1 (en)2012-09-152014-03-20Honeywell International Inc.Decision support system based on energy markets
US9389850B2 (en)2012-11-292016-07-12Honeywell International Inc.System and approach to manage versioning of field devices in a multi-site enterprise
US9286323B2 (en)*2013-02-252016-03-15International Business Machines CorporationContext-aware tagging for augmented reality environments
WO2014183106A2 (en)2013-05-102014-11-13Proxense, LlcSecure element as a digital pocket
US9691076B2 (en)2013-07-112017-06-27Honeywell International Inc.Demand response system having a participation predictor
US10346931B2 (en)2013-07-112019-07-09Honeywell International Inc.Arrangement for communicating demand response resource incentives
US9989937B2 (en)2013-07-112018-06-05Honeywell International Inc.Predicting responses of resources to demand response signals and having comfortable demand responses
GB2523331A (en)2014-02-202015-08-26IbmAttribute-based access control
US9665078B2 (en)2014-03-252017-05-30Honeywell International Inc.System for propagating messages for purposes of demand response
CN104580490B (en)*2015-01-202018-09-18无线生活(杭州)信息科技有限公司Order transmission method and device
CN106156648B (en)2015-04-132020-09-04腾讯科技(深圳)有限公司Sensitive operation processing method and device
US9594922B1 (en)*2015-06-302017-03-14EMC IP Holding Company LLCNon-persistent shared authentication tokens in a cluster of nodes
US10162958B2 (en)*2016-03-152018-12-25Ricoh Company, Ltd.Information processing system, information processing method, and non-transitory computer program product
WO2018039233A1 (en)*2016-08-222018-03-01Akamai Technologies, Inc.Providing single sign-on (sso) in disjoint networks with non-overlapping authentication protocols
US10261767B2 (en)*2016-09-152019-04-16Talend, Inc.Data integration job conversion
US10541556B2 (en)2017-04-272020-01-21Honeywell International Inc.System and approach to integrate and manage diverse demand response specifications for multi-site enterprises
US10915897B2 (en)2018-06-132021-02-09Clover Network, Inc.Token management for enhanced omni-channel payments experience and analytics
FR3111203B1 (en)*2020-06-082023-02-10Evidian Computer device and method for authenticating a user
CN112199656B (en)*2020-12-032021-02-26湖北亿咖通科技有限公司Access authority acquisition method of service platform and access control method of service platform
CN112199659B (en)*2020-12-032021-03-23湖北亿咖通科技有限公司Access method, system and electronic device for multi-service platform of vehicle
US20230136230A1 (en)*2021-11-012023-05-04Walmart Apollo, LlcAccess token conversion
DE102023004043A1 (en)2023-10-072025-04-10Mercedes-Benz Group AG Computer-implemented authorization management procedure and information technology system

Citations (13)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US20010000358A1 (en)1998-06-122001-04-19Kousei IsomichiGateway system and recording medium
WO2001052025A2 (en)2000-01-102001-07-19Sun Microsystems, Inc.Accessing multiple services with a unique user name
WO2002039237A2 (en)2000-11-092002-05-16International Business Machines CorporationMethod and system for web-based cross-domain single-sign-on authentication
US20020156905A1 (en)2001-02-212002-10-24Boris WeissmanSystem for logging on to servers through a portal computer
US20030177388A1 (en)*2002-03-152003-09-18International Business Machines CorporationAuthenticated identity translation within a multiple computing unit environment
US20060041933A1 (en)2004-08-232006-02-23International Business Machines CorporationSingle sign-on (SSO) for non-SSO-compliant applications
US20060179312A1 (en)*2003-12-232006-08-10Wachovia CorporationAuthentication system for networked computer applications
US20070255958A1 (en)*2006-05-012007-11-01Microsoft CorporationClaim transformations for trust relationships
US20070271618A1 (en)*2006-05-192007-11-22Ching-Yun ChaoSecuring access to a service data object
US20070294528A1 (en)*2004-10-082007-12-20Mamoru ShojiAuthentication System
US20080010665A1 (en)*2006-07-072008-01-10Hinton Heather MMethod and system for policy-based initiation of federation management
US20080109895A1 (en)*2004-08-102008-05-08Koninklijke Philips Electronics, N.V.Method and System for Multi-Authentication Logon Control
US20080134305A1 (en)*2005-12-162008-06-05Hinton Heather MMethod and system for extending authentication methods

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
JP3826764B2 (en)*2001-10-312006-09-27ソニー株式会社 Data processing method, data processing apparatus, and program
US7562382B2 (en)*2004-12-162009-07-14International Business Machines CorporationSpecializing support for a federation relationship

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US20010000358A1 (en)1998-06-122001-04-19Kousei IsomichiGateway system and recording medium
WO2001052025A2 (en)2000-01-102001-07-19Sun Microsystems, Inc.Accessing multiple services with a unique user name
WO2001052025A3 (en)2000-01-102002-05-02Sun Microsystems IncAccessing multiple services with a unique user name
WO2002039237A3 (en)2000-11-092003-10-09IbmMethod and system for web-based cross-domain single-sign-on authentication
WO2002039237A2 (en)2000-11-092002-05-16International Business Machines CorporationMethod and system for web-based cross-domain single-sign-on authentication
US20020156905A1 (en)2001-02-212002-10-24Boris WeissmanSystem for logging on to servers through a portal computer
US20030177388A1 (en)*2002-03-152003-09-18International Business Machines CorporationAuthenticated identity translation within a multiple computing unit environment
US20060179312A1 (en)*2003-12-232006-08-10Wachovia CorporationAuthentication system for networked computer applications
US20080109895A1 (en)*2004-08-102008-05-08Koninklijke Philips Electronics, N.V.Method and System for Multi-Authentication Logon Control
US20060041933A1 (en)2004-08-232006-02-23International Business Machines CorporationSingle sign-on (SSO) for non-SSO-compliant applications
US20070294528A1 (en)*2004-10-082007-12-20Mamoru ShojiAuthentication System
US20080134305A1 (en)*2005-12-162008-06-05Hinton Heather MMethod and system for extending authentication methods
US20070255958A1 (en)*2006-05-012007-11-01Microsoft CorporationClaim transformations for trust relationships
US20070271618A1 (en)*2006-05-192007-11-22Ching-Yun ChaoSecuring access to a service data object
US20080010665A1 (en)*2006-07-072008-01-10Hinton Heather MMethod and system for policy-based initiation of federation management

Cited By (6)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US20120167186A1 (en)*2009-07-142012-06-28Bundesdruckerei GmbhMethod for producing a soft token
US9240992B2 (en)*2009-07-142016-01-19Bundesdruckerei GmbhMethod for producing a soft token
US20130318569A1 (en)*2012-05-222013-11-28International Business Machines CorporationPropagating Delegated Authorized Credentials Through Legacy Systems
US9172694B2 (en)*2012-05-222015-10-27International Business Machines CorporationPropagating delegated authorized credentials through legacy systems
US20220337576A1 (en)*2021-04-152022-10-20Jpmorgan Chase Bank, N.A.System and method for smart authentication
US11632365B2 (en)*2021-04-152023-04-18Jpmorgan Chase Bank, N.A.System and method for smart authentication

Also Published As

Publication numberPublication date
AU2007203101B2 (en)2012-10-11
GB0713184D0 (en)2007-08-15
US20080046715A1 (en)2008-02-21
AU2007203101B8 (en)2013-02-07
DE102007033615A1 (en)2008-01-31
CN101114237B (en)2010-10-13
AU2007203101A1 (en)2008-02-14
GB2440425B (en)2012-01-11
DE102007033615B4 (en)2023-01-19
CN101114237A (en)2008-01-30
GB2440425A (en)2008-01-30

Similar Documents

PublicationPublication DateTitle
US8799639B2 (en)Method and apparatus for converting authentication-tokens to facilitate interactions between applications
JP7457173B2 (en) Internet of Things (IOT) device management
US10581827B2 (en)Using application level authentication for network login
US11082225B2 (en)Information processing system and control method therefor
CN109428947B (en)Authority transfer system, control method thereof and storage medium
US6934848B1 (en)Technique for handling subsequent user identification and password requests within a certificate-based host session
US6976164B1 (en)Technique for handling subsequent user identification and password requests with identity change within a certificate-based host session
CN106209749B (en)Single sign-on method and device, and related equipment and application processing method and device
US9917829B1 (en)Method and apparatus for providing a conditional single sign on
KR101302763B1 (en)Method and apparatus for providing trusted single sign-on access to applications and internet-based services
JP5009294B2 (en) Distributed single sign-on service
US7150038B1 (en)Facilitating single sign-on by using authenticated code to access a password store
US9166975B2 (en)System and method for secure remote access to a service on a server computer
CN104580184B (en)Identity identifying method between mutual trust application system
US20100100950A1 (en)Context-based adaptive authentication for data and services access in a network
US11277404B2 (en)System and data processing method
US20180205745A1 (en)System, method and computer program product for access authentication
TW200833060A (en)Authentication delegation based on re-verification of cryptographic evidence
US10257171B2 (en)Server public key pinning by URL
US9590972B2 (en)Application authentication using network authentication information
US7540020B1 (en)Method and apparatus for facilitating single sign-on to applications
CN111147525A (en)Authentication method, system, server and storage medium based on API gateway
CN114338078B (en) A CS client login method and device
CN114584381A (en)Security authentication method and device based on gateway, electronic equipment and storage medium
KR102741305B1 (en)System and method for controlling file encryption and decryption permissions in shared folders

Legal Events

DateCodeTitleDescription
ASAssignment

Owner name:INTUIT, INC., CALIFORNIA

Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BALAZS, ALEX G.;PAN, ZANE Z. Y.;REEL/FRAME:018137/0403;SIGNING DATES FROM 20060713 TO 20060718

Owner name:INTUIT, INC., CALIFORNIA

Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BALAZS, ALEX G.;PAN, ZANE Z. Y.;SIGNING DATES FROM 20060713 TO 20060718;REEL/FRAME:018137/0403

FEPPFee payment procedure

Free format text:PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCFInformation on status: patent grant

Free format text:PATENTED CASE

MAFPMaintenance fee payment

Free format text:PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551)

Year of fee payment:4

MAFPMaintenance fee payment

Free format text:PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment:8
[8]ページ先頭
©2009-2025 Movatter.jp